Is it possible to share DKEK, or XKEK, with others HSM devices?


I do have a Nitrokey HSM, with some AES Symmetric keys on it, self generated by the Nitrokey.

I need to give those keys to another HSM device (I do not know yet which one), but can get them only wrapped by the DKEK or XKEK of my Nitrokey.

How can I now which others HSM device are using the same kind of wrapping, to maybe have others than Nitrokey ?
Will I have to use only the XKEK ?
Will HSM devices, but not Smart Cards be able do unwrap my wrapped keys ?

I am not able to find this information on line…


It should be the fastest to ask about this on HSM’s vendor support:

Please let me know, if you would find out anything in this topic.

Yes OK, I am asking.

1 Like

Hello all,

I asked on SmartCard, and Andreas Schwier from Card Contact told me :
The wrap / unwrap format in the SmartCard-HSM or Nitrokey HSM is a proprietary format, as it preserves device specific key meta data. Other HSM will not understand that format, as each HSM has it’s own meta data and key wrap format.

To achieve interoperability, you will need to define your own key wrap / unwrap scheme.

I asked him about the “own key wrap / unwrap scheme”

1 Like

Hi @tkalkanci

Thank you for asking SmartCard.

Are there any other news from SmartCard concerning the different XKEK topics here in this forum?

Hello tobibuhl, not yet…